jail: protect against strcat buffer overflows

Coverity CID: 1490012 Copy into fixed size buffer

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

1 files changed, 7 insertions, 4 deletions

diff --git a/jail/jail.c b/jail/jail.c
index c02095b..1af0161 100644
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -2186,21 +2186,24 @@ static int parseOCIlinux(struct blob_attr *msg)
 	if (tb[OCI_LINUX_CGROUPSPATH]) {
 		cgpath = blobmsg_get_string(tb[OCI_LINUX_CGROUPSPATH]);
 		if (cgpath[0] == '/') {
-			if (strlen(cgpath) >= (sizeof(cgfullpath) - strlen(cgfullpath)))
+			if (strlen(cgpath) + 1 >= (sizeof(cgfullpath) - strlen(cgfullpath)))
 				return E2BIG;
 
 			strcat(cgfullpath, cgpath);
 		} else {
 			strcat(cgfullpath, "/containers/");
-			strcat(cgfullpath, opts.name); /* should be container name rather than jail name */
-			strcat(cgfullpath, "/");
-			if (strlen(cgpath) >= (sizeof(cgfullpath) - strlen(cgfullpath)))
+			if (strlen(opts.name) + strlen(cgpath) + 2 >= (sizeof(cgfullpath) - strlen(cgfullpath)))
 				return E2BIG;
 
+			strcat(cgfullpath, opts.name); /* should be container name rather than jail name */
+			strcat(cgfullpath, "/");
 			strcat(cgfullpath, cgpath);
 		}
 	} else {
 		strcat(cgfullpath, "/containers/");
+		if (2 * strlen(opts.name) + 2 >= (sizeof(cgfullpath) - strlen(cgfullpath)))
+			return E2BIG;
+
 		strcat(cgfullpath, opts.name); /* should be container name rather than jail name */
 		strcat(cgfullpath, "/");
 		strcat(cgfullpath, opts.name); /* should be container instance name rather than jail name */